
How to reset ESP8266 Deauther

Forgot the password of your Deauther, or want to restore the default settings? Then you have to do a reset. Here is a tutorial.

There are multiple ways to reset the ESP8266 Deauther. You can either send it a reset command via the USB serial connection, or you can overwrite the firmware and settings by flashing it again.

Here we will be looking at resetting it via

  • terminal.spacehuhn.com
  • Huhnitor
  • Arduino IDE
  • Reflashing ESP8266 Deauther
  • Using a reset sketch

It’s sufficient to choose one reset method. You don’t need to follow each one. If you’re unsure which path to pick, simply choose the first or whichever sounds more familiar/easier to you.

We now have terminal.spacehuhn.com, an online serial terminal. It is a great alternative for which you don’t need to install anything; you only need a compatible browser.

  1. Open terminal.spacehuhn.com with Chrome, Edge, or Opera for desktop. (Other browsers are not supported at the moment)
  2. Click connect
  3. Plug in your ESP8266 board
  4. Select the port that pops up in the list and click connect
  5. Type reset and press enter
  6. Type save and press enter

Connecting to and resetting Deauther using terminal.spacehuhn.com

Huhnitor is a cross-platform, Rust-based serial monitor that runs in a terminal. It was made to make interfacing with Deauther V3 through the USB serial command line easier, but you can also use it with any other version of the Deauther.

We already have a Huhnitor installation tutorial that you can check out. But for Windows users, installing is as easy as downloading a .exe file from the project’s GitHub and opening it.

🔗 Huhnitor Installation Tutorial: /blog/huhnitor-installation/

  1. Start Huhnitor
  2. Plug in your ESP8266 Deauther. It should automatically detect and connect to it via USB serial.
  3. Type reset and press enter
  4. Type save and press enter

Done 🎉

Animated GIF showing how to reset Deauther via Huhnitor

Arduino IDE is a popular tool among makers. You might have already used it to flash the Deauther firmware onto an ESP8266.

🔗 Arduino IDE download: https://www.arduino.cc/en/software

Here’s what you have to do:

  1. Open Arduino IDE
  2. Plug in your Deauther
  3. Select the COM port of your Deauther at Tools > Port
  4. Open the Serial Monitor at Tools > Serial Monitor
  5. At the bottom of the Serial Monitor window, select Newline and 115200 baud
  6. Type reset and press enter
  7. Type save and press enter

Done 🎉

Animated GIF showing how to reset Deauther via Arduino IDE

Another way to reset all settings is by flashing the firmware again. This option is great for anyone who wants to update and reset their Deauther simultaneously.

You need Arduino IDE and the ESP8266 Deauther project files to do this.

🔗 Arduino IDE download: https://www.arduino.cc/en/software

🔗 ESP8266 Deauther firmware

Here’s what you have to do:

  1. Extract the ESP8266 Deauther zip you downloaded
  2. Go into the esp8266_deauther folder and open esp8266_deauther.ino with Arduino IDE
  3. In Arduino IDE, go to File > Preferences and add this URL to the Additional Boards Manager URLs: https://raw.githubusercontent.com/SpacehuhnTech/arduino/main/package_spacehuhn_index.json
  4. Now go to Tools > Board > Boards Manager, search deauther and install Deauther ESP8266 Boards
  5. Select your board at Tools > Board and be sure it is at Deauther ESP8266 Boards (and not at ESP8266 Modules)!
  6. To reset the settings select Tools > Erase Flash > All Flash Contents
  7. Plug in your Deauther and select its COM port at Tools > Port
  8. Press upload

Done 🎉

Animation showing how to reset Deauther by reflashing it via Arduino IDE

If nothing else works, there is also a reset sketch we made to erase the memory of the ESP8266.

You have to know how to flash the ESP8266 with either a .bin flasher tool or Arduino IDE. (A tutorial for Arduino IDE is described in the previous section).

🔗 Reset sketch Arduino file & .bin files

Keep in mind that the reset sketch also overwrites the ESP8266 Deauther firmware. So you will need to install it again afterward.

Why the Deauthentication Attack isn't working

Plenty of you enjoy the ESP8266 Deauther project because it’s easy to get started with and lets you block specific WiFi connections. But what if that core feature isn’t working? There are a few things that could render the WiFi deauthentication attack ineffective. Here we will explore why that is.

If you are using the ESP8266 Deauther but starting a deauthentication attack results in a packet rate of 0 packets per second, you most likely have to flash the firmware again.

If you’re using Arduino IDE to install it, make sure you install and select a board from the Deauther ESP8266 Boards section and not from the regular ESP8266 Boards. If you don’t, the firmware will probably compile and run, but it won’t send deauth packets: the stock ESP8266 SDK refuses to transmit deauthentication and disassociation frames through its raw packet-send function, and the Deauther boards package ships a patched SDK that lifts that restriction. Other attacks like beacon and probe will work fine either way.

You can find the installation instructions here.

Dual-band networks

If you can send deauthentication packets, but your target isn’t getting disconnected, chances are high that you are trying to attack a dual-band network. Meaning it’s present on both 2.4 GHz and 5 GHz. Client devices will opt for the 5 GHz connection whenever they can since it provides higher bandwidth than a 2.4 GHz connection.

The ESP8266 is only able to work on the 2.4 GHz spectrum. And there is no way to make it work on 5 GHz, sorry. So make sure your target device is connected through 2.4 GHz. Otherwise, the attack will simply not work.

You could, however, use a 5 GHz USB WiFi adapter that can do packet injection. We made a tutorial for it: /blog/5ghz-deauther/.

Protected Management Frames

If you ever asked yourself, how one can be protected against the WiFi denial of service by deauthentication, the answer is Protected Management Frames.

They were first introduced in 2009 with the 802.11w amendment and protect management frames like the deauthentication frame against spoofing, or at least well enough to make attacks like this impractical.

But for a long time, this feature was not implemented in consumer WiFi devices. And when it was, it usually wasn’t enforced by the access point to stay backward compatible so that older WiFi clients without this feature could still connect.

Today, WiFi-certified hardware must have this feature, and WPA3 networks have to enforce it. So deauthing a WPA3 network is unlikely to work. Note, however, that a WPA3 network running in WPA3/WPA2 transition mode still admits WPA2 clients that did not negotiate PMF, and those clients remain deauthable.

If your network uses protected management frames, deauthentication attacks will not work. An access point advertises whether it supports or requires PMF in the RSN capabilities of its beacons (the MFPC and MFPR bits), but whether a particular client actually negotiated it you only find out by testing it. We made the ESP8266 Deauther project so you can perform such pentests easily.
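As an added example that is not part of the original post or the Deauther project, here is a C routine that reads those PMF bits out of a beacon’s RSN element. The beacon bodies are constructed for the example (12 fixed bytes, an SSID element, then an RSN element with CCMP and one AKM suite); the field layout and the MFPC/MFPR bit positions follow the 802.11 RSN element definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not Deauther project code): classify an access point's PMF
 * setting from the RSN element it broadcasts in beacons / probe responses. */
enum pmf_mode { PMF_NO_RSN = 0, PMF_DISABLED = 1, PMF_OPTIONAL = 2, PMF_REQUIRED = 3 };

#define IE_RSN            48
#define BEACON_FIXED_LEN  12      /* timestamp(8) + beacon interval(2) + capability(2) */
#define RSN_CAP_MFPR      0x0040  /* Management Frame Protection Required */
#define RSN_CAP_MFPC      0x0080  /* Management Frame Protection Capable */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Skip a "count(2) + count*4 bytes" suite list inside the RSN element.
 * Returns -1 if malformed, 0 if the element ends here, 1 if more data follows. */
static int skip_suite_list(const uint8_t *ie, size_t len, size_t *off)
{
    uint16_t count;
    if (len == *off) return 0;
    if (len < *off + 2) return -1;
    count = le16(ie + *off);
    *off += 2 + 4u * count;
    return len < *off ? -1 : 1;
}

/* RSN Capabilities field of one RSN element: 0 if the optional trailing fields
 * are absent (so no PMF is advertised), -1 if the element is malformed. */
static int rsn_capabilities(const uint8_t *ie, size_t len)
{
    size_t off = 2 + 4;                        /* version + group cipher suite */
    int r;
    if (len < 2 || le16(ie) != 1) return -1;   /* only RSN version 1 is defined */
    if (len == 2) return 0;
    if (len < off) return -1;
    if ((r = skip_suite_list(ie, len, &off)) <= 0) return r;  /* pairwise ciphers */
    if ((r = skip_suite_list(ie, len, &off)) <= 0) return r;  /* AKM suites */
    if (len == off) return 0;                                  /* capabilities absent */
    if (len < off + 2) return -1;
    return le16(ie + off);
}

/* Walk the tagged parameters of a beacon body (everything after the 24-byte
 * 802.11 header) and report what the RSN element says about PMF. */
enum pmf_mode beacon_pmf_mode(const uint8_t *body, size_t len)
{
    size_t off = BEACON_FIXED_LEN;
    while (off + 2 <= len) {
        uint8_t tag = body[off], ielen = body[off + 1];
        if (off + 2 + ielen > len) break;      /* truncated element: stop */
        if (tag == IE_RSN) {
            int caps = rsn_capabilities(body + off + 2, ielen);
            if (caps < 0) return PMF_NO_RSN;   /* malformed: treat as unknown */
            if (caps & RSN_CAP_MFPR) return PMF_REQUIRED;
            if (caps & RSN_CAP_MFPC) return PMF_OPTIONAL;
            return PMF_DISABLED;
        }
        off += 2 + ielen;
    }
    return PMF_NO_RSN;                         /* open, WEP or WPA1-only network */
}

const char *pmf_mode_name(enum pmf_mode m)
{
    static const char *names[] = { "no RSN element", "PMF disabled", "PMF optional", "PMF required" };
    return names[m];
}

/* Constructed beacon bodies (no real network). RSN element: version 1, CCMP
 * group and pairwise cipher, one AKM, then the 2-byte capabilities field. */
#define BEACON_PREFIX 0,0,0,0,0,0,0,0, 0x64,0x00, 0x11,0x04, 0x00,4,'T','e','s','t'
#define RSN_HEAD 0x30,20, 0x01,0x00, 0x00,0x0F,0xAC,0x04, 0x01,0x00, 0x00,0x0F,0xAC,0x04, 0x01,0x00
static const uint8_t BEACON_OPEN[]         = { BEACON_PREFIX };
static const uint8_t BEACON_WPA2_NO_PMF[]  = { BEACON_PREFIX, RSN_HEAD, 0x00,0x0F,0xAC,0x02, 0x0C,0x00 };
static const uint8_t BEACON_WPA2_PMF_OPT[] = { BEACON_PREFIX, RSN_HEAD, 0x00,0x0F,0xAC,0x02, 0x8C,0x00 };
static const uint8_t BEACON_WPA3_SAE[]     = { BEACON_PREFIX, RSN_HEAD, 0x00,0x0F,0xAC,0x08, 0xCC,0x00 };

int main(void)
{
    printf("open          : %s\n", pmf_mode_name(beacon_pmf_mode(BEACON_OPEN, sizeof BEACON_OPEN)));
    printf("WPA2-PSK      : %s\n", pmf_mode_name(beacon_pmf_mode(BEACON_WPA2_NO_PMF, sizeof BEACON_WPA2_NO_PMF)));
    printf("WPA2 + MFPC   : %s\n", pmf_mode_name(beacon_pmf_mode(BEACON_WPA2_PMF_OPT, sizeof BEACON_WPA2_PMF_OPT)));
    printf("WPA3-SAE      : %s\n", pmf_mode_name(beacon_pmf_mode(BEACON_WPA3_SAE, sizeof BEACON_WPA3_SAE)));
    return 0;
}
```

PMF_REQUIRED means every client of that BSS discards an unprotected deauth frame. PMF_OPTIONAL (what a WPA3 transition-mode AP advertises) means it depends on what each client negotiated, which is why a per-client test is still the only definitive answer.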

Every deauthentication packet contains a code to indicate why the recipient has been disconnected. This so-called reason code can be changed in the ESP8266 Deauther. By default, it’s on 1 (Unspecified reason), but plenty of other reason codes are available: /blog/wifi-deauthentication-frame/#reason-codes.

Using a different reason code shouldn’t make any difference. However, users of our tool have told us that changing it can result in a more or less effective attack.

With the ESP8266 Deauther, you can change the reason code in the settings.

Targeting a single client

Deauthentication attacks can target a single connection or, by broadcasting the packet, every connection to this access point.

We’ve observed cases where a deauthentication attack against the access point was not effective, but against a specific client, it was.

So instead of attacking an access point (AP) and every device that is connected to it, you can also scan for client devices (Stations) and target one of those specifically. Keep in mind though that to find a station, it has to be actively sending packets while you’re scanning. Otherwise, you won’t detect it even if it’s connected and in range.

Conclusion

If all this sounds like an unstable hack and you don’t really know if it will work until you try, you are correct!

Deauthentication attacks are an exploit. Some devices have addressed and fixed it, and others haven’t. An old access point can keep us from using the latest security features our modern clients are capable of. But enforcing new technology means trouble for backward compatibility. After all, we expect WiFi to work with all our devices flawlessly.

If you’re interested in starting to learn about WiFi security, a tool like the ESP8266 Deauther can be a great start. It’s affordable and relatively easy to use. With it, you will be able to test your home network(s) and devices and have a great starting point for further research.

But please don’t be sad if you can’t deauthenticate your home network because it’s up to date with basic security measures. If anything, it’s good, and you should be glad!

Hacking means being creative and just trying things out. So we hope that the tips in this post will help you on that journey.

If you need to test different access points, you can also create one easily using your phone’s hotspot feature (though that access point might also be protected depending on the phone). But maybe you know someone who has an old router or phone that you can borrow to set up a WiFi access point for testing.

Good luck and happy hacking :)

WiFi Deauthentication Frame Explained

The structure and functionality of deauthentication frames are something we get asked about regularly. So we thought it was time for a blog post to explore what they are and how they work.


The Deauthentication Frame is a type of packet defined in the IEEE 802.11 WiFi standard. It has been part of the standard since the beginning and still plays an important role.

It’s used to terminate a WiFi connection. It can be sent by either the access point or the station to let the other side know that the connection is closed.

In case you’re unfamiliar with the terminology, the access point (AP) is a device that provides access to a WiFi network, for example, your home router. While a station is a client device that can connect to an access point, for example, your phone.

The station might send a deauthentication frame to the access point because it’s switching to another WiFi network. Or the access point might send a deauthentication frame to the station because the router has to restart. Deauthentication works both ways, and there are plenty of reasons why they are sent - you can find a complete list of reasons below.

But one crucial attribute of the deauthentication frame is that it’s not a request; it’s a notification, and it cannot be refused. (With protected management frames, covered at the end of this post, a client simply discards unprotected deauthentication frames, but a genuine protected one still cannot be refused.)

The actual data the packet holds is very minimal:

Deauthentication frame body

Order     Information
1         Reason code
Last - 1  One or more Vendor Specific elements (optional)
Last      MME (Management MIC element), present when management frame protection is enabled at the AP and the frame is a group addressed frame

But if you look at a deauthentication frame in Wireshark, you’d see more than just the frame body. That’s because deauthentication packets are part of the family of WiFi management frames, and their format looks like this:

Octets    Description
2         Frame Control
2         Duration
6         Address 1
6         Address 2
6         Address 3
2         Sequence Control
0 or 4    HT Control
variable  Frame Body
4         FCS

In the ESP8266 Deauther’s code, a packet looks like this:

uint8_t deauthPacket[26] = {
/* 0 - 1 */ 0xC0, 0x00, // type, subtype c0: deauth (a0: disassociate)
/* 2 - 3 */ 0x00, 0x00, // duration (SDK takes care of that)
/* 4 - 9 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // receiver (target)
/* 10 - 15 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // source (ap)
/* 16 - 21 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // BSSID (ap)
/* 22 - 23 */ 0x00, 0x00, // fragment & sequence number
/* 24 - 25 */ 0x01, 0x00 // reason code (1 = unspecified reason)
};

Deauthentication frame definition in ESP8266 Deauther code

You can find this definition in the Attack.h file.

You might notice that some data is left out of this array. For example, the frame check sequence (FCS) is not defined here. That’s because it’s already handled by the underlying ESP8266 SDK functions automatically. The same goes for the duration and the flags in the second byte of the frame control field.
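The same layout as a builder, plus a decoder for captured frames, added here as an example (it is not the Deauther’s own code). The MAC addresses are constructed; the frame control bit positions, the little-endian sequence control and reason code fields, and the meaning of the Protected Frame bit follow 802.11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Deauther project code): build a deauth/disassoc frame
 * with the layout shown above and decode a captured one. */
#define MAC_LEN           6
#define DEAUTH_LEN        26    /* 24-byte management header + 2-byte reason code */
#define SUBTYPE_DISASSOC  0xA
#define SUBTYPE_DEAUTH    0xC
#define FC1_PROTECTED     0x40  /* Protected Frame bit in the second frame control byte */

/* Constructed addresses for the example, not real devices. */
static const uint8_t EXAMPLE_CLIENT[MAC_LEN] = {0x02,0x11,0x22,0x33,0x44,0x55};
static const uint8_t EXAMPLE_AP[MAC_LEN]     = {0x02,0xAA,0xBB,0xCC,0xDD,0xEE};
static const uint8_t BROADCAST[MAC_LEN]      = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

struct deauth_info {
    int is_disassoc;    /* 0 = deauthentication (0xC0), 1 = disassociation (0xA0) */
    int is_protected;   /* Protected Frame bit set: PMF in use, body is encrypted */
    int is_broadcast;   /* Address 1 is ff:ff:ff:ff:ff:ff, so every station is hit */
    uint8_t receiver[MAC_LEN], transmitter[MAC_LEN], bssid[MAC_LEN];
    uint16_t fragment, sequence, reason;
};

/* Fill buf (DEAUTH_LEN bytes) exactly like the Deauther's deauthPacket array.
 * Duration and sequence control stay zero and no FCS is appended, because
 * the ESP8266 SDK fills those in on transmit. Returns the frame length. */
size_t build_deauth_frame(uint8_t *buf, const uint8_t *receiver, const uint8_t *ap,
                          uint16_t reason, int disassoc)
{
    memset(buf, 0, DEAUTH_LEN);
    buf[0] = (uint8_t)((disassoc ? SUBTYPE_DISASSOC : SUBTYPE_DEAUTH) << 4); /* type 0 = mgmt */
    memcpy(buf + 4,  receiver, MAC_LEN);   /* Address 1: receiver */
    memcpy(buf + 10, ap,       MAC_LEN);   /* Address 2: transmitter */
    memcpy(buf + 16, ap,       MAC_LEN);   /* Address 3: BSSID */
    buf[24] = (uint8_t)(reason & 0xFF);    /* reason code, little-endian */
    buf[25] = (uint8_t)(reason >> 8);
    return DEAUTH_LEN;
}

/* Decode a captured frame (a trailing FCS, if the capture kept it, is ignored).
 * Returns 0 on success, -1 if it is too short or not a deauth/disassoc frame. */
int parse_deauth_frame(const uint8_t *frame, size_t len, struct deauth_info *out)
{
    uint8_t type, subtype;
    uint16_t seqctl;
    if (len < DEAUTH_LEN) return -1;
    type = (frame[0] >> 2) & 0x3;
    subtype = frame[0] >> 4;
    if (type != 0 || (subtype != SUBTYPE_DEAUTH && subtype != SUBTYPE_DISASSOC)) return -1;
    memset(out, 0, sizeof *out);
    out->is_disassoc  = subtype == SUBTYPE_DISASSOC;
    out->is_protected = (frame[1] & FC1_PROTECTED) != 0;
    memcpy(out->receiver,    frame + 4,  MAC_LEN);
    memcpy(out->transmitter, frame + 10, MAC_LEN);
    memcpy(out->bssid,       frame + 16, MAC_LEN);
    out->is_broadcast = memcmp(out->receiver, BROADCAST, MAC_LEN) == 0;
    seqctl = (uint16_t)(frame[22] | (frame[23] << 8));
    out->fragment = seqctl & 0x0F;         /* low 4 bits: fragment number */
    out->sequence = seqctl >> 4;           /* high 12 bits: sequence number */
    if (out->is_protected) return 0;       /* reason code sits inside the CCMP payload */
    out->reason = (uint16_t)(frame[24] | (frame[25] << 8));
    return 0;
}

/* Build a frame for EXAMPLE_CLIENT, parse it back and return the recovered
 * reason code (-1 if parsing failed), so builder and parser check each other. */
int roundtrip_reason(uint16_t reason, int disassoc, struct deauth_info *info)
{
    uint8_t buf[DEAUTH_LEN];
    build_deauth_frame(buf, EXAMPLE_CLIENT, EXAMPLE_AP, reason, disassoc);
    return parse_deauth_frame(buf, sizeof buf, info) == 0 ? info->reason : -1;
}

/* Self-check: unicast deauth, broadcast disassoc, and a constructed frame with
 * the Protected Frame bit set as a PMF network would send it. 1 when all hold. */
int selftest(void)
{
    struct deauth_info a, b, c;
    uint8_t buf[DEAUTH_LEN];
    if (roundtrip_reason(7, 0, &a) != 7 || a.is_disassoc || a.is_broadcast || a.is_protected) return 0;
    if (memcmp(a.bssid, EXAMPLE_AP, MAC_LEN) != 0) return 0;
    build_deauth_frame(buf, BROADCAST, EXAMPLE_AP, 8, 1);
    if (parse_deauth_frame(buf, sizeof buf, &b) != 0 || !b.is_disassoc || !b.is_broadcast || b.reason != 8) return 0;
    build_deauth_frame(buf, EXAMPLE_CLIENT, EXAMPLE_AP, 1, 0);
    buf[1] |= FC1_PROTECTED;               /* pretend the capture came from a PMF network */
    if (parse_deauth_frame(buf, sizeof buf, &c) != 0 || !c.is_protected || c.reason != 0) return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[DEAUTH_LEN];
    size_t i, n = build_deauth_frame(buf, BROADCAST, EXAMPLE_AP, 1, 0);
    for (i = 0; i < n; i++) printf("%02x%s", buf[i], i + 1 < n ? " " : "\n");
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    return selftest() ? 0 : 1;
}
```

When you look at captures from a PMF network, the decoder reports is_protected for unicast deauth frames and leaves the reason code at zero, because the body is encrypted; that bit alone tells you the network is not a target for this attack.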

As mentioned, every deauthentication frame has to contain a code for the reason of disconnect. Here is a list of the available reason codes and what they mean.

Yes, the list is quite long…

Code      Description
0         Reserved
1         Unspecified reason
2         Previous authentication no longer valid
3         Deauthenticated because sending STA is leaving (or has left) the BSS
4         Disassociated due to inactivity
5         Disassociated because AP is unable to handle all currently associated STAs
6         Class 2 frame received from nonauthenticated STA
7         Class 3 frame received from nonassociated STA
8         Disassociated because sending STA is leaving (or has left) BSS
9         STA requesting (re)association is not authenticated with responding STA
10        Disassociated because the information in the Power Capability element is unacceptable
11        Disassociated because the information in the Supported Channels element is unacceptable
12        Disassociated due to BSS transition management
13        Invalid element, i.e., an element defined in this standard for which the content does not meet the specifications in Clause 9
14        Message integrity code (MIC) failure
15        4-way handshake timeout
16        Group key handshake timeout
17        Element in 4-way handshake different from (Re)Association Request/Probe Response/Beacon frame
18        Invalid group cipher
19        Invalid pairwise cipher
20        Invalid AKMP
21        Unsupported RSNE version
22        Invalid RSNE capabilities
23        IEEE 802.1X authentication failed
24        Cipher suite rejected because of the security policy
25        TDLS direct-link teardown due to TDLS peer STA unreachable via the TDLS direct link
26        TDLS direct-link teardown for unspecified reason
27        Disassociated because session terminated by SSP request
28        Disassociated because of lack of SSP roaming agreement
29        Requested service rejected because of SSP cipher suite or AKM requirement
30        Requested service not authorized in this location
31        TS deleted because QoS AP lacks sufficient bandwidth for this QoS STA due to a change in BSS service characteristics or operational mode (e.g., an HT BSS change from 40 MHz channel to 20 MHz channel)
32        Disassociated for unspecified, QoS-related reason
33        Disassociated because QoS AP lacks sufficient bandwidth for this QoS STA
34        Disassociated because excessive number of frames need to be acknowledged, but are not acknowledged due to AP transmissions and/or poor channel conditions
35        Disassociated because STA is transmitting outside the limits of its TXOPs
36        Requesting STA is leaving the BSS (or resetting)
37        Requesting STA is no longer using the stream or session
38        Requesting STA received frames using a mechanism for which a setup has not been completed
39        Requested from peer STA due to timeout
40-45     Reserved
46        In a Disassociation frame: Disassociated because authorized access limit reached
47        In a Disassociation frame: Disassociated due to external service requirements
48        Invalid FT Action frame count
49        Invalid pairwise master key identifier (PMKID)
50        Invalid MDE
51        Invalid FTE
52        Mesh peering canceled for unknown reasons
53        The mesh STA has reached the supported maximum number of peer mesh STAs
54        The received information violates the Mesh Configuration policy configured in the mesh STA profile
55        The mesh STA has received a Mesh Peering Close frame requesting to close the mesh peering
56        The mesh STA has resent dot11MeshMaxRetries Mesh Peering Open frames, without receiving a Mesh Peering Confirm frame
57        The confirmTimer for the mesh peering instance times out
58        The mesh STA fails to unwrap the GTK or the values in the wrapped contents do not match
59        The mesh STA receives inconsistent information about the mesh parameters between mesh peering Management frames
60        The mesh STA fails the authenticated mesh peering exchange due to failure in selecting either the pairwise ciphersuite or group ciphersuite
61        The mesh STA does not have proxy information for this external destination
62        The mesh STA does not have forwarding information for this destination
63        The mesh STA determines that the link to the next hop of an active path in its forwarding information is no longer usable
64        The Deauthentication frame was sent because the MAC address of the STA already exists in the mesh BSS
65        The mesh STA performs channel switch to meet regulatory requirements
66        The mesh STA performs channel switching with unspecified reason
67        Transmission link establishment in alternative channel failed
68        The alternative channel is occupied
69-65535  Reserved


Besides the deauthentication frame, there is also the disassociation frame. They sound similar, work similar, and their structure is basically identical.

To understand the difference between disassociation and deauthentication, we have to understand the difference between WiFi association and authentication.

When you connect to a WiFi network, you first authenticate yourself. Then, to use the WiFi network, you have to associate to an access point. It’s simply another step before you can start browsing the web through WiFi. Of course, this is all done automatically and really fast. (Strictly speaking, the password is not what the 802.11 authentication step checks on a WPA2 network: that step is the trivial Open System exchange, and the password is only proven in the 4-way handshake after association. WPA3 does prove the password during authentication, with SAE.)

In the case of a regular home router, you both authenticate and associate to the same access point. And if you disconnect, you both deauthenticate and disassociate to the same access point. But in a larger network made out of multiple access points, you might disassociate from one access point and associate to a new one while staying authenticated to the same network.

How deauthentication frames can be exploited



Deauthentication frames are very simple in their structure. You basically only need the MAC addresses of the sender and the receiver (the access point’s address doubles as the BSSID), and you can obtain those by simply scanning for WiFi devices nearby.

So it’s super easy to spoof a deauth packet. And keep in mind that if the target receives it, it has to drop its connection.

The target can reconnect immediately, of course, and it can do that quite fast, maybe without the user noticing that the connection was ever dropped. But if these deauth packets are sent continuously, it results in a denial of service attack, and network access is blocked for the entirety of the attack.

Luckily this was addressed, and we now have protected management frames! This feature allows packets like deauthentication frames to be safe against spoofing.

The only problem with this feature is that not every access point has it enabled yet. If you want to test if your network is safe against this type of attack, check out our ESP8266 Deauther project.

WiFi Duck Scripting

Our popular wireless BadUSB tool WiFi Duck is programmable using a simple scripting language. Here we will have a look at all the available commands and functions.


Check the documentation to learn more about this project.

The scripting language used for the WiFi Duck is made to be compatible with Ducky Script from the awesome people at Hak5. This allows you to use any Ducky Scripts you can find on the interwebs.

For example, you can find some great payloads on GitHub. Duck Toolkit also has a library of common payloads.

The scripting language is straightforward, here are the basics:

  • Keys are separated by a single space.
  • Everything written in a single line gets pressed and released at the same time.
  • To write text, use the STRING function.
Example           Explanation
WINDOWS           Press the Windows key, then on the next line
r                 press the r key
WINDOWS r         Press the Windows key and the r key simultaneously
STRING WINDOWS r  Type the text "WINDOWS r"
Command                        Example              Description
REM                            REM Hello World!     Comment
DEFAULTDELAY or DEFAULT_DELAY  DEFAULTDELAY 200     Time in ms between every command
DELAY                          DELAY 1000           Delay in ms
STRING                         STRING Hello World!  Types the following string
REPEAT or REPLAY               REPEAT 3             Repeats the last command n times
LOCALE                         LOCALE DE            Sets the keyboard layout. Currently supported: DE, ES, GB, US, DK, RU, FR, BE, PT, IT
KEYCODE                        KEYCODE 0x02 0x04    Types a specific key code (modifier, key1[, …, key6]) in decimal or hexadecimal
LED                            LED 40 20 10         Changes the color of the LED in decimal RGB values (0-255)
Standard keys

  • a - z
  • A - Z
  • 0 - 9
  • F1 - F12

Modifier keys

  • CTRL or CONTROL
  • SHIFT
  • ALT
  • WINDOWS or GUI

Special keys

  • ENTER
  • MENU or APP
  • DELETE
  • HOME
  • INSERT
  • PAGEUP
  • PAGEDOWN
  • UP or UPARROW
  • DOWN or DOWNARROW
  • LEFT or LEFTARROW
  • RIGHT or RIGHTARROW
  • TAB
  • END
  • ESC or ESCAPE
  • SPACE
  • PAUSE or BREAK
  • CAPSLOCK
  • NUMLOCK
  • PRINTSCREEN
  • SCROLLLOCK
REM Hello World for Windows PCs
DEFAULTDELAY 200
GUI r
STRING notepad
ENTER
STRING Hello World!

Hello World for Windows PCs
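To make the grammar concrete, here is an added example (not the WiFi Duck firmware’s own code) of a parser for these commands plus a dry run that totals what a script would type. The rule that DEFAULTDELAY is added after every executed command is an assumption made for the example; the firmware’s exact timing may differ. LOCALE, KEYCODE and LED are left out since they do not affect the dry-run totals.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not WiFi Duck firmware code): parse Ducky-style script
 * lines and dry-run a script without a keyboard attached. */
enum cmd_kind { CMD_NONE, CMD_REM, CMD_DEFAULTDELAY, CMD_DELAY, CMD_STRING,
                CMD_REPEAT, CMD_KEYS, CMD_ERROR };

#define MOD_CTRL  0x01
#define MOD_SHIFT 0x02
#define MOD_ALT   0x04
#define MOD_GUI   0x08
#define MAX_KEYS  6        /* a USB HID keyboard report carries at most six keys */

struct cmd {
    enum cmd_kind kind;
    long arg;               /* milliseconds for delays, count for REPEAT */
    unsigned mods;          /* modifier bitmask for CMD_KEYS */
    int nkeys;              /* non-modifier keys pressed together */
    char keys[MAX_KEYS][16];
    char text[256];         /* STRING payload */
};

static unsigned modifier_bit(const char *t)
{
    if (!strcmp(t, "CTRL") || !strcmp(t, "CONTROL")) return MOD_CTRL;
    if (!strcmp(t, "SHIFT")) return MOD_SHIFT;
    if (!strcmp(t, "ALT")) return MOD_ALT;
    if (!strcmp(t, "WINDOWS") || !strcmp(t, "GUI")) return MOD_GUI;
    return 0;
}

static int add_key(struct cmd *c, const char *tok)
{
    unsigned m = modifier_bit(tok);
    if (m) { c->mods |= m; return 0; }
    if (c->nkeys >= MAX_KEYS) { c->kind = CMD_ERROR; return -1; }
    snprintf(c->keys[c->nkeys++], sizeof c->keys[0], "%s", tok);
    return 0;
}

/* Parse one line; reading stops at CR/LF, so a pointer into a whole script works.
 * All keys on one line form one chord; STRING keeps the rest of the line verbatim. */
int parse_duck_line(const char *line, struct cmd *out)
{
    char buf[512], *p, *first, *tok, *end;
    size_t n = strcspn(line, "\r\n");
    memset(out, 0, sizeof *out);
    if (n >= sizeof buf) { out->kind = CMD_ERROR; return -1; }
    memcpy(buf, line, n); buf[n] = '\0';
    for (p = buf; isspace((unsigned char)*p); p++) ;
    if (*p == '\0') return 0;                         /* blank line: CMD_NONE */
    first = p;
    while (*p && *p != ' ') p++;
    if (*p) *p++ = '\0';                              /* p: argument after the keyword */
    if (!strcmp(first, "REM")) { out->kind = CMD_REM; return 0; }
    if (!strcmp(first, "STRING")) {
        out->kind = CMD_STRING;
        snprintf(out->text, sizeof out->text, "%s", p);
        return 0;
    }
    if (!strcmp(first, "DELAY")) out->kind = CMD_DELAY;
    else if (!strcmp(first, "DEFAULTDELAY") || !strcmp(first, "DEFAULT_DELAY")) out->kind = CMD_DEFAULTDELAY;
    else if (!strcmp(first, "REPEAT") || !strcmp(first, "REPLAY")) out->kind = CMD_REPEAT;
    if (out->kind != CMD_NONE) {                      /* these need a numeric argument */
        out->arg = strtol(p, &end, 10);
        if (end == p || out->arg < 0) { out->kind = CMD_ERROR; return -1; }
        return 0;
    }
    out->kind = CMD_KEYS;                             /* anything else is a key chord */
    if (add_key(out, first) < 0) return -1;
    for (tok = strtok(p, " "); tok; tok = strtok(NULL, " "))
        if (add_key(out, tok) < 0) return -1;
    return 0;
}

struct dryrun { long delay_ms; int chords; int chars_typed; int errors; };

static void apply(const struct cmd *c, struct dryrun *r)
{
    if (c->kind == CMD_DELAY) r->delay_ms += c->arg;
    else if (c->kind == CMD_STRING) r->chars_typed += (int)strlen(c->text);
    else if (c->kind == CMD_KEYS) r->chords += 1;
}

/* Walk a script line by line. REPEAT re-runs the previous typing/delay command;
 * DEFAULTDELAY is assumed to be added after every executed command. */
struct dryrun dryrun_script(const char *script)
{
    struct dryrun r = {0, 0, 0, 0};
    struct cmd cur, prev;
    long default_delay = 0, i;
    int have_prev = 0;
    const char *line;
    memset(&prev, 0, sizeof prev);
    for (line = script; *line; ) {
        const char *nl = strchr(line, '\n');
        if (parse_duck_line(line, &cur) < 0) r.errors++;
        else if (cur.kind == CMD_DEFAULTDELAY) default_delay = cur.arg;
        else if (cur.kind == CMD_REPEAT) {
            for (i = 0; i < cur.arg && have_prev; i++) { apply(&prev, &r); r.delay_ms += default_delay; }
        } else if (cur.kind == CMD_DELAY || cur.kind == CMD_STRING || cur.kind == CMD_KEYS) {
            apply(&cur, &r); r.delay_ms += default_delay; prev = cur; have_prev = 1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return r;
}

/* The page's Hello World payload, embedded for the demo. */
static const char HELLO_WORLD_SCRIPT[] =
    "REM Hello World for Windows PCs\n"
    "DEFAULTDELAY 200\n"
    "GUI r\n"
    "STRING notepad\n"
    "ENTER\n"
    "STRING Hello World!\n";

int main(void)
{
    struct dryrun r = dryrun_script(HELLO_WORLD_SCRIPT);
    printf("chords=%d chars=%d delay=%ldms errors=%d\n", r.chords, r.chars_typed, r.delay_ms, r.errors);
    return r.errors ? 1 : 0;
}
```

For the Hello World script the dry run reports two chords (GUI+r and ENTER), 19 typed characters and 800 ms of accumulated default delay, which is a quick way to sanity-check a payload before you hand it to the device.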